qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kw...@apache.org
Subject qpid-site git commit: Add CVE-2017-15701 and CVE-2017-15702 to Broker-J security page
Date Thu, 30 Nov 2017 17:21:39 GMT
Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 030c23a69 -> 6bfb1bf48


Add CVE-2017-15701 and CVE-2017-15702 to Broker-J security page


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/6bfb1bf4
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/6bfb1bf4
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/6bfb1bf4

Branch: refs/heads/asf-site
Commit: 6bfb1bf48c18d6fe5d263f3ad6a323f3fb3991f2
Parents: 030c23a
Author: Lorenz Quack <lquack@apache.org>
Authored: Fri Nov 24 10:09:48 2017 +0000
Committer: Keith Wall <kwall@apache.org>
Committed: Thu Nov 30 17:12:35 2017 +0000

----------------------------------------------------------------------
 input/components/broker-j/security.md |  2 ++
 input/cves/CVE-2017-15701.md          | 43 ++++++++++++++++++++++++++
 input/cves/CVE-2017-15702.md          | 49 ++++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/components/broker-j/security.md
----------------------------------------------------------------------
diff --git a/input/components/broker-j/security.md b/input/components/broker-j/security.md
index e34759b..501e1c3 100644
--- a/input/components/broker-j/security.md
+++ b/input/components/broker-j/security.md
@@ -24,6 +24,8 @@
 | [CVE-2016-3094]({{site_url}}/cves/CVE-2016-3094.html) | Important | 6.0.0, 6.0.1, and 6.0.2
| 6.0.3 | Denial of service |
 | [CVE-2016-4432]({{site_url}}/cves/CVE-2016-4432.html) | Important | 6.0.2 and earlier |
6.0.3 | Authentication bypass |
 | [CVE-2016-8741]({{site_url}}/cves/CVE-2016-8741.html) | Moderate | 6.0.1, 6.0.2, 6.0.3,
6.0.4, 6.0.5, and 6.1.0 | 6.0.6, 6.1.1 | Information leakage |
+| [CVE-2017-15701]({{site_url}}/cves/CVE-2017-15701.html) | Important | 6.1.0, 6.1.1, 6.1.2,
6.1.3, and 6.1.4 | 6.1.5 | Denial of Service |
+| [CVE-2017-15702]({{site_url}}/cves/CVE-2017-15702.html) | Important | 0.18, 0.20, 0.22,
0.24, 0.26, 0.28, 0.30, and 0.32 | 6.0.0 | Authentication vulnerability |
 
 See the main [security]({{site_url}}/security.html) page for general
 information and details for other components.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/cves/CVE-2017-15701.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2017-15701.md b/input/cves/CVE-2017-15701.md
new file mode 100644
index 0000000..b6c1889
--- /dev/null
+++ b/input/cves/CVE-2017-15701.md
@@ -0,0 +1,43 @@
+# CVE-2017-15701
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4
+
+## Fixed versions
+
+[6.1.5]({{site_url}}/releases/qpid-java-6.1.5/index.html)
+
+## Description
+
+The broker does not properly enforce a maximum frame size in AMQP 1.0
+frames.  A remote unauthenticated attacker could exploit this to cause
+the broker to exhaust all available memory and eventually terminate.
+Older AMQP protocols are not affected.
+
+## Resolution
+
+Users who have AMQP 1.0 support enabled (default) should upgrade their
+Qpid Broker-J to version 6.1.5 or later (recommended).
+
+## Mitigation
+
+If upgrading the broker is not possible, users can choose to disable
+AMQP 1.0 by either setting the system property
+"qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
+excluding "AMQP_1_0" from the supported protocol list on all AMQP
+ports, or by removing the AMQP 1.0 related jar files from the Java
+classpath.
+
+## References
+
+[QPID-7947](https://issues.apache.org/jira/browse/QPID-7947)
+

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/6bfb1bf4/input/cves/CVE-2017-15702.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2017-15702.md b/input/cves/CVE-2017-15702.md
new file mode 100644
index 0000000..11a4eab
--- /dev/null
+++ b/input/cves/CVE-2017-15702.md
@@ -0,0 +1,49 @@
+# CVE-2017-15702
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker-J
+
+## Affected versions
+
+0.18 through 0.32
+
+## Fixed versions
+
+[6.0.0]({{site_url}}/releases/qpid-java-6.0.0/index.html)
+
+## Description
+
+If the broker is configured with different authentication providers on
+different ports one of which is an HTTP port, then the broker can be
+tricked by a remote unauthenticated attacker connecting to the HTTP
+port into using an authentication provider that was configured on a
+different port.  The attacker still needs valid credentials with the
+authentication provider on the spoofed port.  This becomes an issue
+when the spoofed port has weaker authentication protection (e.g.,
+anonymous access, default accounts) and is normally protected by
+firewall rules or similar which can be circumvented by this
+vulnerability.  AMQP ports are not affected.  Versions 6.0.0 and newer
+are not affected.
+
+## Resolution
+
+Users of affected versions who have more than one port and different
+authentication providers configured on them should upgrade to a
+later unaffected version (recommended).
+
+## Mitigation
+
+If upgrading the broker is not possible then users should ensure all
+their authentication providers offer an equal amount of protection.
+In particular, authentication providers with default accounts and
+those with anonymous access should be removed if other providers in
+use require credentials.
+
+## References
+
+[QPID-8039](https://issues.apache.org/jira/browse/QPID-8039)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message